CVE-2025-27093

6.3 MEDIUM

📋 TL;DR

This vulnerability in Sliver's Wireguard netstack allows unrestricted communication between Wireguard clients, enabling compromised implants to attack operators or access port forwardings from other implants. It affects Sliver versions 1.5.43 and earlier, plus development version 1.6.0-dev. Operators using vulnerable Sliver deployments are at risk.

💻 Affected Systems

Products:
  • Sliver C2 Framework
Versions: 1.5.43 and earlier, plus development version 1.6.0-dev
Operating Systems: All platforms running Sliver
Default Config Vulnerable: ⚠️ Yes
Notes: All Sliver deployments using the vulnerable Wireguard netstack are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with a recovered keypair could pivot through the Wireguard network to compromise operator infrastructure, steal sensitive data, or launch attacks against other implants.

🟠 Likely Case

Compromised implants could communicate with each other to exfiltrate data, coordinate attacks, or access port forwardings intended only for operator use.

🟢 If Mitigated

With proper network segmentation and access controls, the impact is limited to lateral movement within the Wireguard network only.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to a compromised implant or a recovered Wireguard keypair, which is then used to communicate with other clients.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.44 or later (stable), development builds after commit 8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff

Vendor Advisory: https://github.com/BishopFox/sliver/security/advisories/GHSA-q8j9-34qf-7vq7

Restart Required: No

Instructions:

  1. Update Sliver to version 1.5.44 or later.
  2. For development versions, ensure you have commits 8e5c5f14506d6d60ebb3362e6b9857ab1e0d76ff and 9122878cbbcae543eb8210f616550382af2065fd.
  3. Restart Sliver services if they were running.

🔧 Temporary Workarounds

Network Segmentation

all

Implement firewall rules to restrict traffic between Wireguard clients at the network level.

Key Rotation

all

Regularly rotate Wireguard keypairs to limit exposure window if keys are compromised.

🧯 If You Can't Patch

  • Implement strict network segmentation using host firewalls to block inter-client communication
  • Monitor network traffic between Wireguard clients for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Sliver version with 'sliver-server --version' or 'sliver-client --version'. If the version is 1.5.43 or earlier, or a development version without the fix commits, you are vulnerable.

Check Version:

sliver-server --version

Verify Fix Applied:

After updating, verify version is 1.5.44 or later. Test that Wireguard clients cannot communicate directly with each other.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected connections between Wireguard client IPs in Sliver logs
  • Failed authentication attempts from unexpected sources

Network Indicators:

  • Traffic between Wireguard client IPs that should be isolated
  • Unexpected port scanning or connection attempts from Wireguard network

SIEM Query:

source_ip IN (wireguard_client_ips) AND dest_ip IN (wireguard_client_ips) AND source_ip != dest_ip
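
The SIEM query above, written out as an added Python example (not code from Sliver or from the vendor advisory): it flags flows in which both endpoints are Wireguard client addresses and groups the destination ports per client pair. The log format, the 10.8.0.0/24 addresses and the function names are assumptions made for this illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: "timestamp src_ip:port dst_ip:port proto".
# 10.8.0.1 stands in for the server side; .2, .3 and .4 stand in for clients.
SAMPLE_FLOWS = """\
2025-02-20T10:00:01Z 10.8.0.2:51512 10.8.0.1:8888 tcp
2025-02-20T10:00:05Z 10.8.0.3:40022 10.8.0.2:1080 tcp
2025-02-20T10:00:06Z 10.8.0.3:40023 10.8.0.2:1081 tcp
2025-02-20T10:00:09Z 10.8.0.1:8888 10.8.0.3:40100 tcp
2025-02-20T10:00:12Z 10.8.0.4:53000 10.8.0.4:22 tcp
2025-02-20T10:00:15Z 192.0.2.10:443 10.8.0.2:51000 tcp
malformed line
"""


def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        src, _ = parts[1].rsplit(":", 1)
        dst, dport = parts[2].rsplit(":", 1)
        return ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None


def inter_client_flows(log_text, client_ips):
    """Apply the query: source and destination are both clients and differ."""
    clients = {ipaddress.ip_address(ip) for ip in client_ips}
    hits = defaultdict(set)
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip unparseable records instead of aborting the scan
        src, dst, dport = flow
        if src in clients and dst in clients and src != dst:
            hits[(str(src), str(dst))].add(dport)
    return {pair: sorted(ports) for pair, ports in hits.items()}


if __name__ == "__main__":
    # The client list holds client addresses only; the server address is
    # left out so ordinary client-to-server traffic is not reported.
    clients = ["10.8.0.2", "10.8.0.3", "10.8.0.4"]
    for (src, dst), ports in inter_client_flows(SAMPLE_FLOWS, clients).items():
        print(f"ALERT client-to-client {src} -> {dst} ports {ports}")
```

The result depends on the client list being accurate: an address missing from it is never matched, and including the server address would flag normal traffic.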
